The National Institute of Standards and Technology is drafting two new standards that will further address cloud security, including a methodology to help organizations determine what kind of cloud would best fit their needs.
Dr. Michaela Iorga, senior security technical lead for cloud computing at NIST, told the audience at the Cloud Security Alliance federal summit that concerns about the safety of data are the primary impediment to adoption.
“We have to understand what we fear the most” about the cloud, Iorga said. “It’s loss of control – 75 percent fear losing control of their data. We do not trust the cloud. [So] how can we build that trust?”
The new standards – 800-173, Cloud-Adapted Risk Management Framework: Guide for Applying the Risk Management Framework to Cloud-based Federal Information Systems, and 800-174, Security and Privacy Controls for Cloud-based Federal Information Systems – are designed to overlay and elaborate upon already-existing standards that lay out the basics for cloud architecture and security.
“In our cloud security reference architecture [NIST 500-299], we had an epiphany” for the draft cloud risk management standard, Iorga said. “This methodology can help select the best-fitting cloud architecture … Our parents used to buy fabric and make their own suits, and they fit perfectly. What you have to do is your homework. Don’t purchase the cloud first, then tailor it. This is what we learned from the initial NIST architecture reference document.”
Iorga suggested that organizations use FedRAMP, CSA’s Security, Trust and Assurance Registry (STAR), or other certification and authorization programs to make decisions about the cloud. “You build a trust relationship with that entity,” she said, but “you have to verify. You can’t trust and not verify.”
Organizations looking to move to the cloud need to have real teams in place to help evaluate providers, Iorga said. “It’s not a one-person job … Acquisition experts in the past asked for a 10-page summary of what they should look for. That’s not going to happen.”
Privacy is one aspect of security policy. “If we do it right, 800-174 should have all the baseline controls from FedRAMP already in place,” Iorga said. The draft policy will extend beyond those baselines, however. “We tried to look at what would be necessary for different impact levels. We are planning to do the same thing with FedRAMP Plus.”